Cyber insurance is asking harder questions — here's how to actually qualify
Insurers now require real controls before they'll cover a cyber incident — and they can deny claims if you misrepresented your setup. Here's what they're actually asking, in plain terms.
A few years ago, getting cyber insurance was not much different from filling out a general business insurance form — a few yes/no questions, a signature, done.
That's changed. Insurers have paid out enough claims to get serious about underwriting, and the questionnaires have gotten more specific. If you're renewing a policy or shopping for one, here's what they're really asking — and why most of it is worth doing regardless.
Why insurers started asking harder questions
Cyber insurance claims spiked, and insurers lost money. The response was predictable: they started looking more carefully at whether the businesses they insured had the basic controls in place before paying out — and sometimes, before even writing the policy.
Two things follow from this. First, if you don't have certain controls, you may not qualify or may pay significantly more. Second, if you check a box on the application that isn't actually true and you have a claim, the insurer can deny coverage entirely.
That second part matters. An honest answer of "no, we don't have that yet" is better than a claim denial after a breach.
The controls they ask about most often
Multi-factor authentication (MFA). MFA is the extra code or app prompt after your password. This comes up on virtually every application now — not just "do you have it" but often "do you have it for email, for remote access, for admin accounts specifically?" An admin account without MFA is exactly the kind of gap an insurer treats as a red flag.
Backups — and whether they actually work. Insurers have learned that a backup stored on the same network that got encrypted by ransomware doesn't help. They'll ask whether you have offline or separate backups, and whether you've tested restoring from them.
Endpoint protection. "Endpoint" just means the computers, phones, and tablets your employees use. Insurers want to know whether they're running up-to-date security software, not just the basic antivirus that came with Windows.
Email filtering. Most breaches start with a phishing email — a message designed to look legitimate and get someone to click a bad link or hand over a password. Insurers want to know whether you have filtering in place to catch the obvious ones before they land in inboxes.
Patching. Software with unpatched security flaws is one of the most common ways attackers get in. Insurers ask whether you have a process for keeping software up to date.
Who has admin access — and how many people. Admin accounts (the ones with full control over your systems) are high-value targets. Insurers want to know the number is small and that those accounts are well-protected.
The encouraging part
Here's what's worth keeping in mind: none of the above was invented by insurance companies. These are the same controls security people have been recommending for years. The insurer questionnaire is, at its core, a checklist of basic security hygiene — formalized because they need something to underwrite against.
That means getting your security in order and qualifying for cyber insurance aren't separate projects. They're the same project.
If your business has MFA enforced everywhere, real backups, updated software, and a short list of carefully managed admin accounts, you're in a solid position — both for the questionnaire and for actual protection.
Where small businesses tend to get tripped up
The most common problem isn't that owners refuse to implement these controls — it's that they're not sure whether they have them.
"I think we have MFA" is not the same as knowing every account has it required. "Someone set up backups a while back" is not the same as knowing when they last ran and whether a test restore has ever been done. The gaps tend to live in the details.
Before you fill out a renewal questionnaire, it's worth actually checking — not assuming.
Tenant Strike connects to your Microsoft 365 and Azure in read-only mode and checks the controls insurers ask about most often: MFA configuration, admin account counts, app permissions, sharing settings, and more. A five-minute scan gives you a clear picture of where you actually stand before you have to write it down on a form.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.